The AlphaBay Bust Started With One Ridiculously Unsecured Email

We can't believe it was that simple.

On Thursday, the U.S. Department of Justice announced one of the biggest cybersecurity busts in history. The FBI, DEA, and several European law enforcement agencies shut down AlphaBay, the largest marketplace on the dark web for drugs and other illegal goods, and Hansa, the second-largest market, in an alley-oop sting operation that unfolded over the course of the past month. And it all started because the founder and administrator of AlphaBay, 25-year-old Alexander Cazes, was careless with his personal email.

On July 5, the FBI and Drug Enforcement Agency teamed with local law enforcement to raid Cazes’s apartment in Thailand. They arrested him and gained control of his computer, which was logged in to the AlphaBay servers as an administrator. American officials were negotiating for his extradition to the U.S. when Cazes died, allegedly by hanging himself in his cell.

The court documents filed to seize Cazes’s assets reveal government investigators allegedly tracked him down through a personal email address. The email was included in an early welcome message to AlphaBay and scattered across various forums that Cazes participated in.

Once new users joined the forums and entered their private email accounts, they were greeted with an email directly from AlphaBay welcoming them to the forums. The email address “Pimp_Alex_91@hotmail.com” was included in the header information of the AlphaBay welcome email.

Investigators claimed that “Pimp_Alex_91@hotmail.com” was also included in several other messages from the site, including password recovery emails. Searches for that email led investigators to forum posts by accounts with the same online handle Cazes used on AlphaBay, Alpha02. They eventually tracked down Cazes’ full name and LinkedIn account, which listed him as affiliated with EBX Technology, a company that investigators suspected was a front for AlphaBay.

Still, there’s a curious wrinkle in the case: The investigators might have had a tip. The welcome emails sent by AlphaBay included Cazes’s email back in 2014, but users that signed up in later years report that there was no such email. The seizure complaint says that investigators discovered Cazes’s email blooper in December 2016, nearly three full years since the welcome emails. An independent security researcher who goes by “the grugq” said on Twitter that it was highly likely that, two years after the mistake, someone sold Cazes out.